[PHP]Change Character function.

Hey, i am trying to code a simple change character function, to learn a little about php and SQL combined with it.

Now, i coded it but i dont get whats wrong heres my code :

PHP Code:

---

<?php
session_start();

class config
{
private $DB = 'GunzDB';
private $serv = 'GUNZ/SQLEXPRESS';
private $username = 'sa';
private $password = 'Azzakl123';

public function __construct()
{
$con = mssql_connect($this->serv, $this->username, $this->password) or die("<center><font color='red'>Failed to connect to the database!</font></center>");
    mssql_select_db($this->DB, $con) or die("<center><font color='red'>Failed to select the database!</font></center>");
}
}
$oldcharname = $_POST['oldname'];
$newcharname = $_POST['newname'];

function alert($msg){
echo '<script language="javascript">alert("'.$msg.'");</script>';
}

if(isset($_POST['changename']))
{
    $q = mssql_query("SELECT * FROM Character WHERE Name = '".$oldname."' AND SET Name = '".$newname."'");
    $row = mssql_fetch_row($q);
    if($row = mssql_fetch_row($q) == 1)
    {
        echo 'Character '.$oldcharname.' has been changed to '.$newcharname.' .';
    }else{
        echo 'Please Enter BOTH Fields !';
    }
}

?>

---

the error is : Fatal error: Call to undefined function mssql_query() in C:\AppServ\www\testpanel\main.php on line 26

and i have no idea how to fix, and yes abviously its the query problem but what in there is wrong ?! i dont get it, thanks anyway :D:

It means that the php_mssql.dll extension is not loaded in PHP. Take a look at your php.ini file.

Quote:

---

Originally Posted by SuperWaffle

It means that the php_mssql.dll extension is not loaded in PHP. Take a look at your php.ini file.

---

I have done that, it wokred, now i have these errors :

PHP Code:

---

Warning: mssql_query() [function.mssql-query]: Unable to connect to server: (null) in C:\AppServ\www\testpanel\main.php on line 26

Warning: mssql_query() [function.mssql-query]: A link to the server could not be established in C:\AppServ\www\testpanel\main.php on line 26

Warning: mssql_fetch_row(): supplied argument is not a valid MS SQL-result resource in C:\AppServ\www\testpanel\main.php on line 27

Warning: mssql_fetch_row(): supplied argument is not a valid MS SQL-result resource in C:\AppServ\www\testpanel\main.php on line 28
Please Enter BOTH Fields ! 


---

BTW how is the rest of the code, is it alright ? like i mean will it work ? thanks.

Uh not really, if you want my honest opinion: it sucks.
But hey, we all have to start somewhere.

I recommend you to write procedural code first before working with classes. (Because obviously, you don't really understand the purpose of it yet.)

Also, the queries are not correct and it's vulnerable because you're using the raw POST values in the query.

Correct me if I'm wrong, but it looks like your MSSQL connect is incorrect

$serv should be 'GUNZ\SQLEXPRESS' (note the backslash).

The class code looks terrible, you could honestly create a function handler for errors, or even better: don't use classes yet.

You should probably change the query into two, or even three. it would be easier.
Plus, if this is going to be for your users, what is going to check if the name is already used?
You're variables in the query are not the ones you defined for the user input. (There is no $oldname defined)
Also, you're using the mssql_fetch_row wrong. Use mssql_num_rows.
One more, only select the columns you need.

Here is what you could use. You should still sanitize the user input with a anti-sql function. It would become something like $oldname = anti_injection($_POST['oldname']); once you create one.

PHP Code:

---

<?php
if(isset($_POST['changename']))
{
$oldname = $_POST['oldname'];
$newname = $_POST['newname'];
    $query = mssql_query("SELECT Name FROM Character WHERE Name = '".$oldname."'");
    $query2 = mssql_query("SELECT Name FROM Character WHERE Name = '".$newname."'");
    // If both fields are set.
    if($oldname&&$newname)
    {
       // If new character name is already being used.
       if(mssql_num_rows($query2) > 0)
       {
          echo "Character name is already in use!";
       }
       // Else name isn't being used.
       else
       {
          // Check if the character name exists.
          if(mssql_num_rows($query) > 0)
          {
             $change = mssql_query("UPDATE Character SET Name = '$newname' WHERE Name = '$oldname'");
             echo "Character name changed!";
          }
          // Else if the name doesn't exist.
          else
          {
             echo "Character name doesn't exist!";
          }
        }
    }
    // Else if both fields aren't set.
    else
    {
       echo "Please enter both fields!";
    }
}
?>

---

I feel I'm the only who uses sqlsrvr.

I've changed a few things, although I don't see this way the most optimized for this script.

PHP Code:

---

    public function __construct() 
    { 
        $con = mssql_connect($this->serv, $this->username, $this->password); 
        mssql_select_db($this->DB, $con); 
    } 
    
    function alert($msg)
    { 
        echo '<script language="javascript">alert("'.$msg.'");</script>'; 
    } 
    
    
    if(isset($_POST['changename']))
    {
        $oldname = $_POST['oldname'];
        $newname = $_POST['newname'];
        $query = mssql_query("SELECT [Name] FROM [GunzDB].[dbo].[Character] WHERE [Name] = '".$oldname."'");
        $query2 = mssql_query("SELECT [Name] FROM [GunzDB].[dbo].[Character] WHERE [Name] = '".$newname."'");
        // If both fields are set.
        if($oldname&&$newname)
        {
           // If new character name is already being used.
           if(mssql_num_rows($query2) > 0)
              alert("Character name is already in use!");
           // Else name isn't being used.
           else
           {
              // Check if the character name exists.
              if(mssql_num_rows($query) > 0)
              {
                 $change = mssql_query("UPDATE [GunzDB].[dbo].[Character] SET [Name] = '$newname' WHERE [Name] = '$oldname'");
                 alert("Character name changed!");
              }
              // Else if the name doesn't exist.
              else
                 alert("Character name doesn't exist!");
            }
        }
        // Else if both fields aren't set.
        else
           alert("Please enter both fields!");
    } 


---

Quote:

---

Originally Posted by caja

I feel I'm the only who uses sqlsrvr.

I've changed a few things, although I don't see this way the most optimized for this script.

PHP Code:

---

    public function __construct() 
    { 
        $con = mssql_connect($this->serv, $this->username, $this->password); 
        mssql_select_db($this->DB, $con); 
    } 
    
    function alert($msg)
    { 
        echo '<script language="javascript">alert("'.$msg.'");</script>'; 
    } 
    
    
    if(isset($_POST['changename']))
    {
        $oldname = $_POST['oldname'];
        $newname = $_POST['newname'];
        $query = mssql_query("SELECT [Name] FROM [GunzDB].[dbo].[Character] WHERE [Name] = '".$oldname."'");
        $query2 = mssql_query("SELECT [Name] FROM [GunzDB].[dbo].[Character] WHERE [Name] = '".$newname."'");
        // If both fields are set.
        if($oldname&&$newname)
        {
           // If new character name is already being used.
           if(mssql_num_rows($query2) > 0)
              alert("Character name is already in use!");
           // Else name isn't being used.
           else
           {
              // Check if the character name exists.
              if(mssql_num_rows($query) > 0)
              {
                 $change = mssql_query("UPDATE [GunzDB].[dbo].[Character] SET [Name] = '$newname' WHERE [Name] = '$oldname'");
                 alert("Character name changed!");
              }
              // Else if the name doesn't exist.
              else
                 alert("Character name doesn't exist!");
            }
        }
        // Else if both fields aren't set.
        else
           alert("Please enter both fields!");
    } 


---

---

Guess that makes 2 of us.
Code of wesman2232 and caja looks fine, next to the SQLi.

Quote:

---

Originally Posted by SuperWaffle

Uh not really, if you want my honest opinion: it sucks.
But hey, we all have to start somewhere.

I recommend you to write procedural code first before working with classes. (Because obviously, you don't really understand the purpose of it yet.)

Also, the queries are not correct and it's vulnerable because you're using the raw POST values in the query.

---

Your definitly right, cuz it took me a while to learn C++ and i did start somewhere, and about the classes isnt it, basiclly, the same as C++ ? and what is wrong with the POST function ? thank you very much.

Quote:

---

Originally Posted by caja

I feel I'm the only who uses sqlsrvr.

I've changed a few things, although I don't see this way the most optimized for this script.

PHP Code:

---

    public function __construct() 
    { 
        $con = mssql_connect($this->serv, $this->username, $this->password); 
        mssql_select_db($this->DB, $con); 
    } 
    
    function alert($msg)
    { 
        echo '<script language="javascript">alert("'.$msg.'");</script>'; 
    } 
    
    
    if(isset($_POST['changename']))
    {
        $oldname = $_POST['oldname'];
        $newname = $_POST['newname'];
        $query = mssql_query("SELECT [Name] FROM [GunzDB].[dbo].[Character] WHERE [Name] = '".$oldname."'");
        $query2 = mssql_query("SELECT [Name] FROM [GunzDB].[dbo].[Character] WHERE [Name] = '".$newname."'");
        // If both fields are set.
        if($oldname&&$newname)
        {
           // If new character name is already being used.
           if(mssql_num_rows($query2) > 0)
              alert("Character name is already in use!");
           // Else name isn't being used.
           else
           {
              // Check if the character name exists.
              if(mssql_num_rows($query) > 0)
              {
                 $change = mssql_query("UPDATE [GunzDB].[dbo].[Character] SET [Name] = '$newname' WHERE [Name] = '$oldname'");
                 alert("Character name changed!");
              }
              // Else if the name doesn't exist.
              else
                 alert("Character name doesn't exist!");
            }
        }
        // Else if both fields aren't set.
        else
           alert("Please enter both fields!");
    } 


---

---

Thanks for your support :D:

Quote:

---

Originally Posted by Linear8

$serv should be 'GUNZ\SQLEXPRESS' (note the backslash).

The class code looks terrible, you could honestly create a function handler for errors, or even better: don't use classes yet.

---

u should read what SupperWaffle said, i just started coding php a little while ago, dont be so rough on me.

EDIT : Thank you guys very much, i finally managed to do it, and it works thanks :D:

Quote:

---

Originally Posted by caja

I feel I'm the only who uses sqlsrvr.

I've changed a few things, although I don't see this way the most optimized for this script.

PHP Code:

---

    public function __construct() 
    { 
        $con = mssql_connect($this->serv, $this->username, $this->password); 
        mssql_select_db($this->DB, $con); 
    } 
    
    function alert($msg)
    { 
        echo '<script language="javascript">alert("'.$msg.'");</script>'; 
    } 
    
    
    if(isset($_POST['changename']))
    {
        $oldname = $_POST['oldname'];
        $newname = $_POST['newname'];
        $query = mssql_query("SELECT [Name] FROM [GunzDB].[dbo].[Character] WHERE [Name] = '".$oldname."'");
        $query2 = mssql_query("SELECT [Name] FROM [GunzDB].[dbo].[Character] WHERE [Name] = '".$newname."'");
        // If both fields are set.
        if($oldname&&$newname)
        {
           // If new character name is already being used.
           if(mssql_num_rows($query2) > 0)
              alert("Character name is already in use!");
           // Else name isn't being used.
           else
           {
              // Check if the character name exists.
              if(mssql_num_rows($query) > 0)
              {
                 $change = mssql_query("UPDATE [GunzDB].[dbo].[Character] SET [Name] = '$newname' WHERE [Name] = '$oldname'");
                 alert("Character name changed!");
              }
              // Else if the name doesn't exist.
              else
                 alert("Character name doesn't exist!");
            }
        }
        // Else if both fields aren't set.
        else
           alert("Please enter both fields!");
    } 


---

---

I'm going to do a project for a website like Emisand's Admin Panel where you can switch between using ODBC and MSSQL, but also include SQLSERV. I feel like I should know that since MSSQL is no longer being used in the latest PHP

Quote:

---

Originally Posted by Linear88

$serv should be 'GUNZ\SQLEXPRESS' (note the backslash).

The class code looks terrible, you could honestly create a function handler for errors, or even better: don't use classes yet.

---

You shouldn't use SQL Server Express if you plan to run a server.

Quote:

---

Originally Posted by caja

You shouldn't use SQL Server Express if you plan to run a server.

---

Why do you say that? All GunZ servers that I've ever heard of use the SQL EXPRESS Database Engine.

The problem is the Express edition. You need the datacenter version for run the gunz server properly. The express edition is usseles.

Quote:

---

Originally Posted by caja

The problem is the Express edition. You need the datacenter version for run the gunz server properly. The express edition is usseles.

---

It actually runs fine under SQL Express. It's been mentioned in every guide since the release of the 2005 server files anyway, so...

Run SQL Profiler and look all issues is causing the express edition. The problem is that people just do whatever the guides say.

Here you will find all limitations.
Features Supported by the Editions of SQL Server 2008 R2